
Fraud in Electronic Payments



By David Guerin, Trintech Group Plc

November 2003 www.trintech.com


Author: David Guerin Trintech Group Plc Contact: david.guerin@trintech.com



Table of Contents

Executive Summary
Sources of Fraud
    Merchant Fraud
    Cardholder Fraud
    Third Party / Cross-Border Fraud
        Stolen Cards
        Skimming
        ATM Fraud
        Counterfeit Cards
    Card-Not-Present Fraud
        Increased Risk
        Mail Order Telephone Order
        Internet
        Risk of Aggregation
    Identity Theft
Fraud Prevention Techniques
    Hologram
    Photo ID
    Special Characters
    Expiration Date
    Signature Panel
    LUHN Verification
    Ultra-Violet Printing
    Magnetic Stripe
    Card Verification Numbers
    Hot Card Lists
    Online PIN
    Address Verification Service
    Chip Cards
    Fraud Screening Tools
Internet Payment Security Methods
    SSL / TLS
    Electronic Commerce Indicator
    Manual Procedures
    One-Click Shopping
        SET Secure Electronic Transaction
    Verified By Visa
    MasterCard SPA/UCAF and SecureCode
    Maestro Payment over the Internet
    Transaction Liability Rules
Future Trends


Executive Summary
Consumer confidence and bank profits are persistently and pervasively undermined by electronic payment fraud. Over the years, fraud in card payments has increased in line with overall card volume growth, remaining at around 3% of transaction volume. Fraud tends to flow to the weakest point: as soon as security is tightened in one area, fraudsters are quick to move to the next point of least resistance. For example, the card organizations have developed mechanisms, such as Card Verification Value from Visa, that tackle card-present fraud. However, there has been a rise in the level of card-not-present fraud in consumer channels such as Mail Order Telephone Order (MOTO) and the Internet.

Internet fraud in particular has caused many headaches for acquirers. Today, the rate of fraud for Internet purchases is up to 22 times that of card-present transactions. Such fraud levels have led acquirers servicing Internet-only merchants to seek high merchant service charge (MSC) levels or up-front payments as provision for risk. Some acquirers, meanwhile, have chosen to avoid the eCommerce business completely. This has further increased costs for many Internet merchants who are already hard pressed to maintain profitability when faced with the lost time and revenues associated with fraud.

Whereas an acquirer can choose not to handle Internet transactions, an issuer has little control over where the cardholder uses his card. However, despite the relatively high percentage of fraud and disputes within the Internet channel, the current low volume of Internet transactions (on average 2% of transaction volumes) has allowed issuers to manage the cost and the overall impact on their profitability.

Losses from cross-border fraud and counterfeit cards are on the increase worldwide, demonstrating that fraudsters have found ways around many of today's card-present security tools. For example, fraud from these sources is estimated to be costing UK banks up to 22 million a year. Existing physical security mechanisms used in magnetic stripe cards have been largely mastered by counterfeiters, often operating out of Far Eastern countries, allowing them to create or reproduce cards for use in both card-present and card-not-present situations. The rollout of EMV chip technology is now seen as a critical short-term step in addressing such fraud.

Despite the real financial pain that many merchants are experiencing, the approach of many merchants to fraud detection is haphazard, manual and uncoordinated, with under-investment in fraud prevention causing a problem throughout the whole industry. Indeed, card organizations such as Visa have initiated programs to identify merchants with higher than normal fraud rates, with a view to applying penalties where necessary. It is becoming clear to all players in the payments industry that continued growth in fraud is a real threat to revenue growth and consumer confidence. The attitude is changing from seeing fraud as an annoying but inescapable cost to seeing fraud as a real threat to profitability that must be tackled head-on.


Sources of Fraud
In this section, the main sources of card fraud are discussed: merchant fraud, cardholder fraud, third-party fraud, card-not-present fraud and identity theft.

Merchant Fraud
Merchant-originated fraud ranges from honest merchants with a dishonest member of staff, to a dishonest or fake merchant that is operating in collusion with fraudsters. In all merchant environments, employees have a great deal of access to sensitive cardholder information. In physical retail locations, employees have access to card numbers and expiration dates, as well as access to the magnetic stripe on the card. In many Internet and MOTO environments, merchants ask cardholders to provide private identity details such as a home phone number or social security number that can be used to authenticate the cardholder on subsequent purchases (see section on Identity Theft). While these merchants may have been diligent enough to protect their databases from outside attack via firewalls and encryption, they may not have invested in obscuring the sensitive cardholder information from their own staff.

Bogus merchants may appear on the Internet or even in the physical world. A common scam is for a new merchant to conduct several transactions that appear genuine during the probation period after the merchant is acquired, but then to submit a number of high-value fraudulent transactions against non-participating cardholders. A merchant that portrays itself to be in a sector such as holiday bookings can establish a perfect cover for high-value sales. By the time the genuine cardholders have noticed the fraud on their statements, the bogus merchant will have absconded with the payments received from the acquirer.

On the web, an Internet merchant site may not be what it appears to be, preying on the carelessness of Internet surfers who may have mistyped a URL or have simply tried to guess the URL of a well-known bricks & mortar store. In other instances, emails are sent to cardholders with a bogus website address that directs them to the fraudulent merchant. In such cases, the URL of the fraudulent store may differ by only a few characters from the genuine store, and the fraudsters may have completely recreated the look and feel of the genuine merchant's web store. Unless the consumer notices the difference in the URL, he will feel confident enough to fill in his payment and address information, which can then be used by the fraudster. By the time the consumer realizes that no goods have been delivered and attempts to contact the real merchant, his payment details will most likely have been used many times for fraudulent purchases.


Cardholder Fraud
This category refers to instances where the fraud is being generated by the named cardholder, rather than by someone pretending to be the cardholder. Typically, the cardholder takes advantage of the liability for fraud which the merchant bears for MOTO transactions and for Internet transactions not secured by Verified by Visa or MasterCard SecureCode (see later). In this scenario, the named cardholder carries out the transaction using their payment card, receives the goods, and later contacts his bank to dispute that he carried out the transaction, or alternatively to claim that he did carry out the transaction but did not receive the goods. Where the goods have been physically shipped to the cardholder's address, there have been cases where the cardholder asserts that a third party sharing or visiting his residence used his card without authorization. In this situation, the card payment dispute may actually succeed, leaving the merchant with the options of either writing off the fraud or suing the consumer through the courts.

In card-present environments, dishonest cardholders may look for an opportunity to take both the customer copy of the receipt and the signed merchant copy of the receipt. This leaves the cardholder free to dispute the transaction with their issuing bank, since the merchant will be unable to produce a signed receipt. In these circumstances, the merchant may consider pursuing the consumer through the courts for fraud if he has alternative evidence that the purchase took place and can identify the cardholder, perhaps through CCTV footage taken at the store.

The card organizations have introduced risk management technologies that issuers can use to track a cardholder's transaction habits. Where an issuer observes that a cardholder is making a habit of raising disputes and suspects fraud, the issuer may terminate the cardholder agreement. However, in countries where consumers move often from bank to bank to seek out lower interest rates or benefits, it can be hard to spot a fraudster who changes banks with intent to commit fraud.

Third Party / Cross-Border Fraud


The majority of overall card fraud takes place by people who have obtained one or more cardholders' payment or personal details without approval, and use the payment details or a counterfeit card to make purchases. For example, in the UK, third-party fraud cost the industry 277 million, 50% of total fraud. There are a variety of ways in which fraudsters may obtain such payment details, and the patterns of fraudulent usage will differ in each case.

Stolen Cards
In the case of stolen cards, the fraudster will usually move quickly to make as many purchases as possible within the window of time until the card is reported as stolen and blocked by the issuing bank. In some cases the cardholder may not be aware for a period of time that his card is missing, providing more time for the fraudster to act. Authorization floor limits are amount thresholds, used in dual-message environments, below which purchases do not have to be authorized by the merchant; they were introduced to reduce the cost of merchant phone calls. In some European countries, knowledgeable fraudsters will specifically target stores with a transaction amount that is just below the merchant's authorization floor limit to maximize the usage of the card even when it is blocked by the card issuer. Eventually, such cards may be sold abroad for use in countries with poor telecommunications networks where some merchants still rely on imprinting of cards onto vouchers, with no online authorization mechanism.

Skimming
Skimming is the copying of the information from the magnetic stripe of a card in order to create a counterfeit copy of the card. This is particularly common at restaurants and hotels where the card is authorized out of sight of the cardholder. This allows an unscrupulous desk clerk or waiter to run the card through a small skimming device that extracts the information contained on the magnetic stripe. Once the electronic copy of the magnetic stripe is available, it can easily be written to the magnetic stripe of a counterfeit card and used for card-present transactions. The signature of the fraudster will obviously match the signature on the back of the counterfeit card, so the merchant will have little opportunity to detect the fraud. In some instances, known as white plastic fraud, the fraudster will just reproduce the magnetic stripe on a blank card and work in collusion with a merchant to authorize cash-back transactions. There is evidence that card-skimming fraudsters are highly organized and that the contents of magnetic stripes stolen in this way are on many occasions sent abroad. Also, because counterfeit cards are reproduced without the knowledge of the cardholder, fraud can take place up until the cardholder receives their monthly statement with the fraudulent charges included.

ATM Fraud
Fraud at ATMs is very low compared to other types of fraud due to the mandatory use of four-digit PINs that are always verified online by the card issuer. The most common types of ATM fraud are skimming, theft of the PIN, and robbery. In the case of skimming, fraudsters will typically insert a very slim device into the card slot of the ATM itself, which is capable of capturing the contents of the magnetic stripe as the card is inserted into the ATM by the cardholder. Where possible, the device will also include a micro camera that records a video of the cardholder entering his PIN. This combination allows the fraudsters to create a counterfeit card and use it for ATM withdrawals until the cardholder detects the fraud, which could be several days or weeks if the cardholder does not regularly check his account. Where a fraudster does not have access to such high-tech equipment, he may resort to looking over the cardholder's shoulder to take note of the PIN. This is known to some as shoulder surfing. Once the thief knows the PIN, they attempt to steal the card from the cardholder to use for cash withdrawals. A common and unsophisticated method of ATM crime is robbing the cardholder by forcing them to make a cash withdrawal with their card.


Counterfeit Cards
Organized criminal gangs, often operating in Asia-Pacific, counterfeit cards in large numbers using card embossing equipment. Card numbers are generated at random, but the fraudsters will filter out those that fail the LUHN verification algorithm that is used by most issuers and POS terminals to verify that the card number on a card is genuine. The card numbers may be attributed to a real cardholder and may be used to make physical counterfeit cards, or may be used just for MOTO and Internet purchases that do not require the creation of a physical card.

Card-Not-Present Fraud
Increased Risk
Card-not-present environments are the greatest risk areas for fraud generated either by consumers or merchants. Where neither party has physical contact with the other and they interact only through phone numbers or web sites, the risk increases many times over that one of the parties is not what they appear to be. Many of the types of fraud described previously, by merchants, cardholders or third parties, apply particularly in card-not-present environments because of the lack of contact between the parties to the transaction.

Mail Order Telephone Order
Mail Order has been a means of marketing chosen by a number of low-cost merchants who wish to avoid the high costs of maintaining physical outlets. In the US and the UK, where the Address Verification Service (see later) operates, such merchants may verify that the delivery address matches the billing address of the buyer and may refuse to ship to a different address. Also, in the UK and other countries, such merchants use documents such as the Electoral Register and even the Telephone Directory to verify that the delivery address corresponds to the name of the buyer. Generally, the merchants who remain in this sector have reached a balance point where their cost of fraud is outweighed by their low operating costs and the level of repeat business from regular customers is significant. Also, the fact that MOTO business tends to stay within national boundaries allows merchants to use local forms of consumer verification.

Internet
The growth of the Internet has provided a rich medium for fraudsters due to the anonymity it provides and its global reach across national boundaries. Its global nature means that it is very difficult for restrictions or laws enacted by any one country to be enforced if both of the parties to the transaction are not within its boundaries. Neither is it possible to use traditional or local methods to establish the bona fides of the other party to the transaction.


Some industry analysts would point out that though freedom of information and lack of bureaucracy have been key factors in the adoption and success of the Internet, they are also key issues limiting the growth of Internet commerce. In particular, the risk of identity theft (see later) on the side of either the buyer or the seller is a substantial cause of concern to those transacting over the Internet.

Risk of Aggregation
Credit card companies are concerned about the emergence of third-party aggregators or payment brokers because they create further distance between the consumer and the merchant, and make fraud more difficult to trace. For example, aggregators may take credit card payments from consumers and in turn make payment to merchants via ACH transfers. The advantage to the merchant is that they do not need to accept credit cards directly, making it easy for very small, low-volume home or garage based vendors to sell their goods. A further twist is when the credit card payment becomes eMoney, i.e. funds are loaded via a credit or debit card and may subsequently be used for multiple purchases. Credit card companies fear that because the initial credit card loading of the funds can result in multiple subsequent purchases using the funds, it could lead to an avalanche of disputes relating to a single credit card transaction. And if funds in such a stored value account were loaded using multiple credit cards, then who would be responsible for handling a dispute raised with respect to any of the subsequent purchases?

Stored value accounts also open up the possibility of cascading fraud. For example, in the case of one US payment aggregator, fraudsters used falsely obtained credit card numbers to register and load funds into pre-paid accounts. Once the accounts had been loaded (in a single transaction per account), the fraudsters were free to make multiple purchases against participating merchants using the funds in the account, without any further worries about credit card authentication or blocking of the stolen card details.

Identity Theft
Cited by industry analysts as the single greatest impediment to the growth of eCommerce, the use of an assumed identity is the basis of most forms of fraud. The practice is particularly prevalent in the US, where detailed personal information is easy to obtain. In January 2003, the Federal Trade Commission (FTC) stated that identity theft rose by 73% in 2002 in the US. Identity theft now represents 43% of all complaints made to the FTC. Insiders selling private information were the top cause of identity theft, followed by Internet auctions. Victims are also receiving emails from fraudsters posing as administrators working at their ISP, asking them to reveal their account and password details to help resolve a problem with the account. Some common examples of this practice are:

In November 2001, two customer-service staff sold the personal details of thousands of credit card applicants to a third-party fraudster. This allowed the fraudster to apply for credit cards at other institutions in the name of the original applicants but with her own address, resulting in the purchase of $450,000 worth of goods on those accounts.

In February 2003, an online career-listing firm warned its subscribers that fake job postings were appearing on the site, inviting applicants to provide personal details.

In March 2003, data thieves used millions of randomly generated Social Security numbers to obtain the records of 55,000 students at a major university in the United States. This followed the theft of 1,400 student records by hackers at another US university in January.

Some issuing banks send pre-approved offers to creditworthy consumers in the hope that they get a higher response rate than from normal direct marketing campaigns, as the individuals only need to sign the form and return it to the bank. However, when fraudsters are in a position to intercept such direct marketing offers, they can simply accept and return the application to the bank, having altered the address on the grounds that they have moved house. Finding such direct marketing is not difficult for fraudsters. In some instances, identity theft can take place by fraudsters finding offers thrown out in household waste, or by intercepting the consumer's mail. The result is that the fraudster will have a new credit card and PIN shipped to him at a temporary address, and will have at least a month to make purchases and ATM withdrawals up to his limit before absconding from the temporary address when his statement arrives. People whose identities are stolen in this way will not just have financial problems to solve; their credit ratings will be severely damaged, making it very difficult to take out any further types of credit or loans.

There is also a growing trend amongst Internet and MOTO merchants to ask for and store some personal details when you make a purchase, to be used to authenticate you on subsequent purchases. For example, a merchant may ask for your home telephone number, or mother's maiden name, or address. It should be noted that if fraudsters were in a position to accumulate information about a particular consumer from a number of merchants, then they could build up enough personal information to impersonate that consumer successfully to other merchants. While this situation is unlikely, it is obvious that authentication mechanisms which involve the consumer in parting with secret information to a third party are inherently flawed.



Fraud Prevention Techniques


The examples of fraud prevention techniques explained in this section are based on Visa methodologies. MasterCard, American Express, JCB, Diners and Discover also use similar features on their cards though the positioning and specifications may vary from brand to brand.

Hologram
A hologram that is difficult to copy is embedded in the card plastic. Though fraudsters are capable of creating such holograms, the quality of the reproduction is often poor.

Photo ID
Some issuers have taken the step of also introducing miniature photographs of the cardholder on the card. The problem with card photographs is the quality is often poor and the merchant rarely checks the photo against the person performing the transaction.

Special Characters
Visa and MasterCard have introduced embossed characters with a special font that indicates the brand or card product.

Expiration Date
In theory, the Expiration Date can limit the fraud potential of a stolen card i.e. it places a time limit on the validity of the card. However, in the case of a stolen card, it would be expected that the issuer would block the card soon after the theft, making the Expiration Date unnecessary in most circumstances as a means of controlling fraud.

Signature Panel
The signature panel contains a faded background with a Visa logo that discolors if the signature is erased. The presence of the cardholder signature itself is a key method of identifying that the cardholder is genuine for a card-present transaction. Comparing the cardholder signature on the panel against that on the receipt is the most commonly used method of cardholder verification used by merchant staff and is perhaps the only method used in many instances. For card-present transactions, the cardholder signature on the receipt is used in dispute processing as a means of verifying that the cardholder participated in the transaction.



LUHN Verification
Most credit cards use the LUHN algorithm that ensures that individual digits in a PAN cannot be changed without being detected by electronic point-of-sale systems and bank authorization systems.
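The following is an added example, not part of the Trintech paper: a Luhn (mod-10) check as a POS system or authorization host would apply it to a PAN, together with two small experiments that make the claim above concrete. The first confirms that every possible single-digit change to a PAN is detected; the second shows the check's known blind spot, the adjacent transposition of 0 and 9, which is worth knowing when Luhn is relied on as a data-entry control. All PANs are constructed test values, not real accounts.

```python
# Added example (not from the Trintech paper): Luhn check-digit verification
# plus experiments on what it does and does not detect. PANs are constructed.


def luhn_sum(number: str) -> int:
    """Luhn sum of a digit string, counting from the rightmost digit.

    Every second digit from the right is doubled; a doubled value above 9
    has 9 subtracted (the same as adding its two digits together).
    """
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total


def luhn_valid(pan: str) -> bool:
    """True when the PAN (spaces allowed) passes the Luhn check."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_sum(digits) % 10 == 0


def all_single_digit_changes_detected(pan: str) -> bool:
    """Try every single-digit substitution and confirm each one fails Luhn."""
    digits = pan.replace(" ", "")
    for i, original in enumerate(digits):
        for replacement in "0123456789":
            if replacement == original:
                continue
            altered = digits[:i] + replacement + digits[i + 1:]
            if luhn_valid(altered):
                return False
    return True


def undetected_adjacent_transpositions(pan: str) -> list:
    """Return (index, pair) for swaps of adjacent differing digits that still pass."""
    digits = pan.replace(" ", "")
    missed = []
    for i in range(len(digits) - 1):
        a, b = digits[i], digits[i + 1]
        if a == b:
            continue  # swapping identical digits changes nothing
        swapped = digits[:i] + b + a + digits[i + 2:]
        if luhn_valid(swapped):
            missed.append((i, a + b))
    return missed


if __name__ == "__main__":
    TEST_PAN = "4539 1488 0343 6467"     # constructed, Luhn-valid
    TEST_PAN_09 = "5409 0000 0000 0006"  # constructed, contains the pair 09
    print(luhn_valid(TEST_PAN), all_single_digit_changes_detected(TEST_PAN))
    print(undetected_adjacent_transpositions(TEST_PAN_09))
```

The single-digit result holds for any PAN because doubling-and-subtracting-9 is a one-to-one mapping on the digits 0 to 9; the transposition result is the one exception to Luhn's transposition coverage, so a PAN containing "09" or "90" can be mistyped with those digits swapped and still pass.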

Ultra-Violet Printing
Some card organizations print characters on their cards that are only visible using ultraviolet light. Merchants may use ultra-violet light emitters to verify genuine cards much as they verify the hidden characters on genuine paper currency.

Magnetic Stripe
The magnetic stripe on the back of the card contains magnetically encoded data that is read by electronic POS terminals and ATMs during the transaction. The magnetic stripe contains three tracks of data based on ISO standards, though not all of the information or tracks are used by all card brands. The format of the data is mandated by each brand in their Operating Regulations documents, just as the other physical characteristics of the card are specified in detail. Track 1 was originally intended for use by airlines, but many electronic POS devices use it to retrieve the cardholder name for printing on receipts and statements. Track 2 is the standard track used by banks for card details. Track 3 was originally intended as a read/write track to allow the storage of account security and balance information, but is rarely used now for this purpose.
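As an added example (not from the Trintech paper), the parser below reads Track 1 and Track 2 data in the ISO 7813 layout a POS terminal sees, masks the PAN in the way receipts and logs normally require, and cross-checks that both tracks describe the same card. The sample track strings and the PAN are constructed test values; the service-code reading (first digit 2 or 6 meaning a chip is present) is an ISO 7813 convention stated as background here, not something the paper says.

```python
# Added example (not from the Trintech paper): parse ISO 7813-style Track 1
# and Track 2 data, mask the PAN, and check that the two tracks agree.
# Sample track strings are constructed; the PAN is a test value.
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

SAMPLE_T1 = "%B4539148803436467^DOE/JANE^27052011234567890?"   # constructed
SAMPLE_T2 = ";4539148803436467=27052011234567890?"            # constructed


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual receipt/log convention."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _expiry(yymm: str):
    """YYMM on the stripe -> (year, month); two-digit years are read as 20YY."""
    return 2000 + int(yymm[:2]), int(yymm[2:])


def parse_track1(raw: str) -> dict:
    m = TRACK1_RE.match(raw)
    if not m:
        raise ValueError("track 1 does not match the expected layout")
    return {
        "pan": m["pan"],
        "masked_pan": mask_pan(m["pan"]),
        "name": m["name"],
        "expiry": _expiry(m["exp"]),
        "service_code": m["svc"],
        "discretionary": m["disc"],
    }


def parse_track2(raw: str) -> dict:
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("track 2 does not match the expected layout")
    return {
        "pan": m["pan"],
        "masked_pan": mask_pan(m["pan"]),
        "expiry": _expiry(m["exp"]),
        "service_code": m["svc"],
        "discretionary": m["disc"],
    }


def chip_present(service_code: str) -> bool:
    """First digit 2 or 6 signals an ICC on the card (ISO 7813 convention)."""
    return service_code[0] in "26"


def tracks_consistent(t1: dict, t2: dict) -> bool:
    """Both tracks should carry the same PAN and expiry; a mismatch is a red flag."""
    return t1["pan"] == t2["pan"] and t1["expiry"] == t2["expiry"]


if __name__ == "__main__":
    t1, t2 = parse_track1(SAMPLE_T1), parse_track2(SAMPLE_T2)
    print(t1["masked_pan"], t1["name"], t1["expiry"], chip_present(t1["service_code"]))
    print("tracks agree:", tracks_consistent(t1, t2))
```

The discretionary data field is where the stripe-encoded card verification value discussed later normally lives; a terminal passes it through to the authorization request rather than interpreting it. Only the masked form of the PAN should ever be written to receipts or local logs.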

Card Verification Numbers


There are normally two Card Verification Numbers (CVNs) on the card: one encoded on the magnetic stripe and one printed on the signature panel or front of the card. The CVN on the magnetic stripe provides added security where transactions are authorized at the point-of-sale, while the printed CVN is designed to protect MOTO transactions, where the CVN can be quoted to the merchant over the phone by the cardholder or keyed into a web page. Visa, MasterCard and American Express differ in terms of the naming and specification of the CVNs on their cards.

Hot Card Lists


Once the cardholder informs the issuer that their card is missing, the issuer will block the card within its authorization system, and may request either Visa or MasterCard to block the card on their switching or stand-in authorization systems. The card organizations also produce lists of cards that have been compromised and distribute these to acquirers for passing on to merchants. The Visa Card Recovery Bulletin (CRB) is an example of such a list. These lists are published on a geographic basis, i.e. the issuer and card organization will determine which regions are at high risk of a stolen card being used.


In offline merchant environments, acquirers often choose to issue their merchants with electronic hot card files which are automatically downloaded into POS terminals each day when the end of day data capture or reconciliation process is triggered. This ensures that each transaction is automatically checked against the list of the most current and high-risk hot-listed cards before being sent for authorization, so that stolen cards may be rejected even if the transaction is below floor limit.
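The following added example (not code from the Trintech paper) models the routing decision a POS terminal makes in a floor-limit environment, with and without a locally downloaded hot card file. It ties together the Stolen Cards passage, where fraudsters keep each purchase just under the merchant's floor limit on a card the issuer has already blocked, and the paragraph above, where the daily hot card download closes that gap by checking the PAN before the floor limit is even considered. PANs, amounts and the floor limit are constructed values.

```python
# Added example (not from the Trintech paper): POS routing with a floor limit
# and an optional locally held hot card file. All values are constructed.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Decision:
    action: str   # DECLINE_HOTLIST | APPROVE_OFFLINE | ONLINE_AUTH
    reason: str


class PosTerminal:
    def __init__(self, floor_limit: Decimal, hot_card_file=()):
        self.floor_limit = floor_limit
        # Hot card file: issuer-blocked PANs pushed down by the acquirer
        # with the end-of-day data capture; empty when no file is loaded.
        self.hot_cards = frozenset(hot_card_file)

    def route(self, pan: str, amount: Decimal) -> Decision:
        # The hot list is consulted before the floor limit, so a blocked card
        # is declined even for an amount that would otherwise go offline.
        if pan in self.hot_cards:
            return Decision("DECLINE_HOTLIST", "PAN is on the hot card file")
        if amount < self.floor_limit:
            return Decision("APPROVE_OFFLINE", "below floor limit, no authorization call")
        return Decision("ONLINE_AUTH", "at or above floor limit, send to issuer")


def simulate_day(terminal: PosTerminal, transactions) -> dict:
    """Count outcomes for a list of (pan, amount) pairs."""
    counts = {"DECLINE_HOTLIST": 0, "APPROVE_OFFLINE": 0, "ONLINE_AUTH": 0}
    for pan, amount in transactions:
        counts[terminal.route(pan, amount).action] += 1
    return counts


BLOCKED_PAN = "5409000000000006"   # constructed: reported stolen, issuer-blocked
GOOD_PAN = "4539148803436467"      # constructed: legitimate card
FLOOR = Decimal("50.00")

# A fraudster keeps every purchase on the blocked card just under the floor limit.
DAY = [(BLOCKED_PAN, Decimal("49.99"))] * 5 + [
    (GOOD_PAN, Decimal("12.50")),
    (GOOD_PAN, Decimal("75.00")),
]

if __name__ == "__main__":
    print("no hot file:  ", simulate_day(PosTerminal(FLOOR), DAY))
    print("with hot file:", simulate_day(PosTerminal(FLOOR, [BLOCKED_PAN]), DAY))
```

Without the hot file, all five sub-floor-limit purchases on the blocked card are approved offline and only show up when the batch is submitted; with the file loaded, every one of them is declined at the counter while the legitimate card's transactions are unaffected.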

Online PIN
Online verification of a four-digit PIN is mandatory for all ATM transactions, and is used for debit transactions in many parts of the world. The PIN is encrypted at the terminal and transmitted to the issuing bank for verification. As mentioned previously, mandatory PIN verification at ATMs has been highly effective, leading to very low rates of fraud for ATM transactions. Online PIN for debit cards (such as Maestro and Visa Debit) is very effective in combating debit fraud in some markets, though it is not used in all markets for credit card purchases.

Address Verification Service


The Address Verification Service (AVS) is offered by card organizations in the US and UK for MOTO and Internet transactions. AVS checks the shipping address provided by the purchaser against the billing address used on the payment card. The AVS service relies on the availability of postal codes within a country that have a strictly defined format and have a low level of granularity with respect to street addresses. In the US, such postal codes are known as ZIP codes. When making a purchase, the consumer is asked to provide his postal or ZIP code, and this is included in the online authorization request by the merchant. The postal code is verified in real time by the card organization's switching system against the postal code registered by the issuer for each cardholder. In some instances, the merchant may choose to ship the goods to an address other than the credit card billing address if they have an established relationship with the customer. The AVS service has been available in the US for many years and has more recently been introduced in the UK. It has been shown to be extremely effective in the US at combating fraud in MOTO and other card-not-present transactions.
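The following is an added example, not from the Trintech paper: a simplified AVS comparison of the kind the issuer side performs on the postal code and street number carried in the authorization request, followed by the merchant-side shipping decision the paragraph above describes. The issuer record and the purchaser-supplied details are constructed; the single-letter result codes (Y, A, Z, N) follow the common AVS convention but are an assumption here, since the exact code set varies by scheme and country.

```python
# Added example (not from the Trintech paper): simplified AVS match on postal
# code and street number, plus a merchant shipping policy on the result.
# Records and result codes are constructed/assumed, not the paper's.
import re

# Constructed issuer-side records for two cardholders
UK_ON_FILE = {"country": "UK", "street": "221B Baker Street", "postcode": "NW1 6XE"}
US_ON_FILE = {"country": "US", "street": "1600 Pennsylvania Avenue NW", "postcode": "20500"}


def normalize_postcode(code: str, country: str) -> str:
    """Strip spaces/punctuation and case; US ZIP+4 is reduced to the 5-digit ZIP."""
    code = re.sub(r"[^A-Za-z0-9]", "", code).upper()
    if country == "US":
        return code[:5]
    return code


def street_number(address: str) -> str:
    """AVS compares only the numeric part of the street address."""
    m = re.search(r"\d+", address)
    return m.group(0) if m else ""


def avs_check(on_file: dict, supplied: dict) -> str:
    """Return Y (both match), A (street only), Z (postcode only) or N (neither)."""
    country = on_file["country"]
    n_file, n_given = street_number(on_file["street"]), street_number(supplied["street"])
    addr_ok = bool(n_file) and n_file == n_given
    post_ok = normalize_postcode(on_file["postcode"], country) == normalize_postcode(
        supplied["postcode"], country
    )
    if addr_ok and post_ok:
        return "Y"
    if addr_ok:
        return "A"
    if post_ok:
        return "Z"
    return "N"


def ship_allowed(avs_code: str, established_customer: bool = False) -> bool:
    """Merchant policy: ship only on a full match, unless the customer is known."""
    return avs_code == "Y" or established_customer


if __name__ == "__main__":
    attempt = {"street": "221b baker st", "postcode": "nw16xe"}
    code = avs_check(UK_ON_FILE, attempt)
    print(code, ship_allowed(code))
    mismatch = {"street": "10 Downing Street", "postcode": "NW1 6XE"}
    print(avs_check(UK_ON_FILE, mismatch), ship_allowed(avs_check(UK_ON_FILE, mismatch)))
```

The partial codes are the useful part for a merchant: a Z result (postcode matches, street number does not) is exactly the pattern of a fraudster who knows the cardholder's area but is shipping elsewhere, which is why the default policy above releases goods only on Y.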

Chip Cards
Chip technology represents the most effective medium-term solution to card fraud. Despite the compelling technological advantages of smart cards, the technology has been slow to take off, primarily because of the cost and complexity of chip implementation. In the US, where 90% of all transactions are authorized online, fraud is not the catalyst for smart card adoption. However, in Europe, where telecommunications costs make online authorizations prohibitively expensive, chip has a viable business case. In Western Europe a mandated deadline has been set of January 2000 by which time acquirers must support chip & PIN, and whereby the liability for fraud shifts to the issuer for chip and PIN transactions. Up to this point, PIN verification for ATM and POS transactions has involved the PIN-block information being encrypted via DES or Triple-DES and transmitted all of the way to the issuer, but chip cards allow the PIN to be verified offline against the chip itself. The mandate is that basic credit and debit must be supported with offline PIN, though issuers are free to introduce value-added features, such as purse or loyalty, if they choose to do so. France was the first country to implement chip technology, in 1987. In its first year of operation, the Cartes Bancaires system successfully reduced fraud by 50% despite a sizeable increase in card volume. One of the challenges facing the mandated migration to chip in Europe was the lack of international interoperability. When tourists use foreign non-chip cards in France, or French cards are used abroad in countries where the chip is not read, fraud levels increase to match levels in other countries. Fortunately, thanks to the efforts of the card organizations, all the major schemes, including Cartes Bancaires, have adopted the international EMV standard, ensuring global interoperability. Some issuers and acquirers are still concerned about the cost of introducing chip cards into the market. Issuers will need to bear the cost of basic chip cards, or invest in higher-capacity chip cards if they plan to support multiple applications. Initially some subsidies may be available to them from the card organizations for such cards. But acquirers must shoulder the largest burden of cost, having to upgrade their entire networks of ATMs and merchant POS terminals to accept chip cards. Though acquirers and even card organizations are willing to make investments in their largest merchant chains and high-volume merchants, mid-to-low end merchants may themselves have to pay the cost of upgrading their own equipment. Those merchants who fail to upgrade may experience increased fraud levels as fraudsters seek out the lowest point of resistance.
The most significant factor that will contribute to critical mass of adoption of chip cards is a significant recent rise in card-present cross-border fraud due to counterfeit and skimmed cards. Cross-border fraud is estimated to be costing up to $16 million per annum in the UK alone, and is being experienced by a number of European countries. In Europe, the card organizations are promoting fraud reduction as the key business driver for chip introduction. In the US, the 2005 mandate does not apply and the business case for chip introduction is weaker because of the lower levels of fraud experienced there. However, value-added and loyalty services and, to a lesser extent, stored value purse may be seen as the business drivers. Currently, approximately 12 million Visa-branded chip cards have been issued in the US and POS acceptance of EMV is growing. Even with the weaker business case, regular upgrades to POS systems have ensured that EMV chip acceptance in the US is over 50%. The introduction of chip cards is targeted at reducing the levels of fraud for card-present transactions, but it has the potential to be used for Internet purchases also, once technology and standards are in place. In particular, it is likely that offline PIN authentication will be adopted in time as part of the 3-D Secure standard once chip cards are in the hands of the majority of cardholders.

Fraud Screening Tools

Merchants have introduced screening tools to detect fraud, particularly in the MOTO and Internet space. In the merchant area, such tools help merchants to differentiate low-risk business (repeat customers or low-risk goods) from higher-risk transactions: those from new customers or overseas customers, or where particular circumstances of the transaction represent increased risk. Many customers who shop from common MOTO stores such as flower shops or theatre ticket bookings will notice that some merchants ask the consumer to provide personal information such as a phone number or address, which they can use for comparison the next time the same payment card is presented for payment.

Acquirer fraud screening tools may detect cardholder fraud, but their primary goal is to protect the acquirer from fraudulent merchants who may disappear after receiving payment from the acquirer. Such screening tools establish trends and patterns of transaction volumes, amounts and types for each merchant or category of merchant, and compare new transactions to those patterns.

Issuers have traditionally performed velocity checking on incoming authorization requests to identify transactions which are unusual with respect to the cardholder's spending patterns. Such verification routines have often been included within an issuer's core authorization host system. Examples of such checking are:

- First use of a newly issued card: some issuers may issue Referral responses in such cases to ensure that the genuine cardholder did receive the physical card (unless the cardholder first activated his new card by phoning his bank);
- Maintenance of a rolling 3 or 4 day average spend, and identification of transactions which raise that average spend above a certain threshold;
- Monitoring of what types of goods (by Merchant Category Code) the cardholder usually buys, and identification of transactions which are outside his normal types of purchases;
- Identification of transactions above his normal spend for an individual purchase;
- Identification of purchases for a cardholder originating from a country where he does not normally do business;
- Identification of (non-Internet) purchases for a cardholder originating from different geographic locations within a narrow time interval.

Issuers will use these factors together with other risk measurements related to the cardholder to make a judgment on each transaction. In addition to these velocity checks, some issuers employ more extensive fraud screening tools to track transactions, identify trends and provide alerts on anomalies. Patterns of expenditure for each cardholder will be established based on variables such as the types of goods purchased, high and low amounts of purchases over periods of time, geographic areas in which purchases have been made, normal frequency of card usage and other parameters. The tools will normally store transaction data over several months and identify complex patterns based on this data, which would not be apparent when examining a limited number of transactions.

Issuers may choose to implement such systems in real-time or deferred mode: in real-time mode the authorization request may be declined if fraud is detected, whereas in deferred mode the potential fraud is not identified until after the authorization request has been processed. Generally, real-time authorization controls are more costly to implement, and issuers are wary of slowing down the response time to authorization requests if the performance of the fraud-screening tool does not match that of their authorization host. However, delayed fraud detection means that only future transactions can be blocked for the compromised card, since the current transaction has already been approved and the merchant has received a valid approval code.
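As an added illustration (not code from the paper or from Trintech), the issuer-side velocity checks listed above run over a constructed transaction history, followed by the real-time versus deferred decision just described. The rule names, the thresholds (avg_limit, travel_window) and all sample transactions are assumptions.

```python
from datetime import datetime, timedelta

# Constructed transaction history for one cardholder (sample data, not real).
# Fields: ts, amount, mcc (Merchant Category Code), country, channel (pos/atm/internet).
HISTORY = [
    {"ts": datetime(2003, 11, 1, 10, 0), "amount": 45.0, "mcc": "5411", "country": "IE", "channel": "pos"},
    {"ts": datetime(2003, 11, 2, 18, 30), "amount": 30.0, "mcc": "5541", "country": "IE", "channel": "pos"},
    {"ts": datetime(2003, 11, 3, 12, 15), "amount": 60.0, "mcc": "5411", "country": "IE", "channel": "pos"},
]
# Constructed candidate authorizations to screen against that history.
SUSPECT_TXN = {"ts": datetime(2003, 11, 3, 13, 0), "amount": 1200.0, "mcc": "5732", "country": "US", "channel": "pos"}
NORMAL_TXN = {"ts": datetime(2003, 11, 4, 9, 0), "amount": 50.0, "mcc": "5411", "country": "IE", "channel": "pos"}
INTERNET_TXN = {"ts": datetime(2003, 11, 3, 13, 0), "amount": 25.0, "mcc": "5411", "country": "US", "channel": "internet"}


def rolling_average(transactions, now, days=4):
    """Average spend over the trailing window (the paper's rolling 3 or 4 day average)."""
    window = [t["amount"] for t in transactions
              if timedelta(0) <= now - t["ts"] <= timedelta(days=days)]
    return sum(window) / len(window) if window else 0.0


def velocity_flags(txn, history, card_activated=True, avg_limit=200.0,
                   travel_window=timedelta(hours=2)):
    """Return the names of the velocity rules that the new transaction trips.
    avg_limit and travel_window are assumed thresholds; an issuer tunes its own."""
    flags = []
    if not history:
        # First use of a newly issued card: refer unless the cardholder activated it by phone.
        if not card_activated:
            flags.append("FIRST_USE_UNACTIVATED")
        return flags
    usual_mccs = {t["mcc"] for t in history}
    usual_countries = {t["country"] for t in history}
    normal_max = max(t["amount"] for t in history)
    if rolling_average(history + [txn], txn["ts"]) > avg_limit:
        flags.append("ROLLING_AVG_EXCEEDED")
    if txn["mcc"] not in usual_mccs:
        flags.append("UNUSUAL_MCC")
    if txn["amount"] > normal_max:
        flags.append("ABOVE_NORMAL_AMOUNT")
    if txn["country"] not in usual_countries:
        flags.append("UNUSUAL_COUNTRY")
    # Two card-present purchases in different countries within a narrow interval.
    # Internet purchases are left out of this rule, as the paper specifies.
    if txn["channel"] != "internet":
        for prev in history:
            if (prev["channel"] != "internet" and prev["country"] != txn["country"]
                    and abs(txn["ts"] - prev["ts"]) <= travel_window):
                flags.append("IMPOSSIBLE_TRAVEL")
                break
    return flags


def decide(flags, mode="real-time"):
    """Real-time mode can decline or refer the current authorization; deferred mode
    approves it (the merchant already holds an approval code) and only raises an alert
    so that future transactions on the card can be blocked."""
    if not flags:
        return "APPROVE"
    if mode == "deferred":
        return "APPROVE_AND_ALERT"
    if flags == ["FIRST_USE_UNACTIVATED"]:
        return "REFER"
    return "DECLINE"


if __name__ == "__main__":
    for name, txn in (("suspect", SUSPECT_TXN), ("normal", NORMAL_TXN), ("internet", INTERNET_TXN)):
        f = velocity_flags(txn, HISTORY)
        print(name, f, decide(f), decide(f, "deferred"))
```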

Internet Payment Security Methods

SSL / TLS
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are commonly used to secure data traveling over open (Internet) networks. The goal of the TLS protocol is to provide privacy and data integrity between two communicating applications. Symmetric cryptography (e.g., DES, RC4) is used for data encryption to ensure that the connection is private. A keyed Message Authentication Code (MAC) on each transported message ensures that the connection is reliable and has not been tampered with. SSL and TLS are layered on top of the standard TCP/IP protocol. SSL is frequently used by home banking web sites to secure account information displayed to customers on web pages.

Electronic Commerce Indicator

The Electronic Commerce Indicator (ECI) is a value within a financial card payment authorization request that informs the issuer of the card that the transaction has been carried out over the Internet, and whether any security protocol such as SSL, Verified by Visa, etc. was used to protect the transaction. It is mandated that all Internet transactions have this value populated in the authorization request. Before this mandate came into effect, it was very difficult for issuers to identify which transactions were eCommerce transactions and which were physical-world transactions; the presence of this value now makes it possible for issuers to target eCommerce transactions with fraud detection software analysis.

Manual Procedures
Many small-to-medium merchants cannot afford to implement software-based fraud screening tools and must resort to manual procedures. If the customer is from within the merchant's country, the merchant may make use of locally available electoral registers or phone books to verify that the shipping address provided by the consumer corresponds to his home address. Merchants may also attempt to contact the cardholder directly using his publicly available phone number to verify that he did carry out the transaction, before shipping the goods. In some extreme cases, merchants have been known to refuse to process orders from overseas customers because their identity cannot be verified, but this practice is frowned on by the card organizations. A recent report on fraud from CyberSource has indicated that in the US many merchants' approach to fraud detection is ad hoc, uncoordinated and not integrated into the merchants' operational procedures. This means that staff who are not trained to detect fraud properly will either fail to detect high-risk transactions or may lose customers by flagging false-positive fraud occurrences. In either case, valuable time is often wasted and the rate of fraud detection is unreliable.
One-Click Shopping
In recent years, a number of Internet merchants have implemented One-Click shopping. Its goal is two-fold: to provide ease and convenience to the online shopper, and to reduce fraudulent transactions. Using the One-Click approach, a consumer is asked to register his personal details, including his payment card details, with an individual merchant. When the consumer returns to carry out a transaction, he only has to sign on with his username and password in order to pay for the goods, since his payment details are picked up automatically from the database. In many cases, only a password is required, since the merchant site will identify the user by picking up a cookie previously stored on his personal computer. For the online merchant, the benefit is that a database of reliable repeat customers who carry low risk when making a purchase is built up over time. This allows the merchant to focus his fraud detection attention on new customers who have just registered, or those customers who have avoided registration and gone directly to the payment page. However, such databases must be protected by encryption and strong firewalls.

SET Secure Electronic Transaction

The SET standard was launched jointly by Visa International and MasterCard in 1996 as a global standard to reduce fraud in Internet commerce. The goal of the standard was to authenticate all parties to a transaction and to secure the integrity of the transaction details using strong public key cryptography. A number of pilots were undertaken throughout the world between 1997 and 2001, but the standard did not reach the critical mass needed for adoption. The burst bubble in Internet stocks in 2000 also served to delay spending by many banking institutions on authentication infrastructures for Internet commerce. Both Visa and MasterCard began to work independently on the next generation of authentication mechanisms, leading to the emergence of the 3-D Secure protocol and the SPA/UCAF standard from Visa and MasterCard respectively.

Verified By Visa
In late 2000, Visa USA issued a technical specification for a consumer authentication protocol known as Payer Authentication. This was based on the concept of separating the transaction process into three separate domains: issuer, acquirer and message interchange. During the course of 2001 and 2002 the protocol was rolled out to other Visa regions and was given the brand name Verified by Visa (VbV). The goal of Verified by Visa is to authenticate the consumer using a designated authentication code. Unlike the SET specification, Verified by Visa does not attempt to include or replace the traditional authorization methods. Verified by Visa authentication is merely an additional step that happens before the transaction authorization takes place, and is therefore easier for merchants to integrate into their business processes. Also, the basic protocol is much simpler than that developed for SET transactions. The solution involves the deployment of a software module called a Merchant Plug-In (MPI) at the merchant's site or his acquirer's site (if the acquirer hosts the MPI). The issuer also needs to operate an Access Control Server (ACS) that interacts with the merchant's MPI via XML messages over the Internet. The other two software components in the process are the Visa Directory, which allows merchant MPIs to communicate with issuer ACSs, and the Authentication History Server, which is also operated by Visa and stores a log of all fully completed authentications. The transaction process is carried out in the following way:

- The cardholder enrolls for the Verified by Visa (or MasterCard SecureCode) service at his issuing bank and chooses his Personal Assurance Message and authentication password or PIN.
- The cardholder shops for goods and enters his payment details into the merchant checkout page as normal.
- The merchant's 3-D Secure software checks with the Visa (or MasterCard) Directory and the issuer to determine whether the cardholder is enrolled for 3-D Secure.
- Provided that the cardholder is enrolled for the service, the merchant seeks authentication of the cardholder by his issuing bank.
- The cardholder is presented with a web page by his issuing bank that shows the details of the transaction and his Personal Assurance Message, and is requested to enter his 3-D Secure password or PIN.
- The issuing bank validates the password or PIN against the details stored for the cardholder at the time of enrolment.
- The issuer responds to the merchant to indicate whether the cardholder is authentic or not, and if so, provides an authentication code to the merchant to include with the financial authorization request.
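The exchange described above, as an added model that is not part of the paper and not Visa's or Trintech's code: enrolment at the issuer, the Directory lookup by the merchant's MPI, password validation at the ACS, and the issuer's re-check of the authentication code when the financial authorization arrives. The PAN, merchant id, ACS key and the HMAC construction of the authentication code are constructed stand-ins; the liability attribution is an assumed reading of the paper's "under certain conditions".

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the issuer's Access Control Server (ACS) enrolment store.
ACS_SECRET = b"constructed-acs-signing-key"   # hypothetical key used to bind the auth code
ENROLLED = {}                                  # PAN -> enrolment record (sample data only)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(pan, password, personal_assurance_message):
    """Cardholder enrols at the issuer, choosing a PAM and a password or PIN.
    Only a salted hash of the password is kept."""
    salt = secrets.token_bytes(16)
    ENROLLED[pan] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                     "pam": personal_assurance_message}


def directory_lookup(pan):
    """The scheme Directory tells the merchant MPI whether the card is enrolled."""
    return pan in ENROLLED


def _auth_code(pan, merchant_id, amount):
    # Constructed authentication code: a MAC over the transaction details under the ACS key.
    msg = f"{pan}|{merchant_id}|{amount:.2f}".encode()
    return hmac.new(ACS_SECRET, msg, "sha256").hexdigest()


def acs_authenticate(pan, entered_password, merchant_id, amount):
    """ACS side: show the PAM, validate the password against the enrolment record and,
    on success, return an authentication code bound to this transaction."""
    rec = ENROLLED.get(pan)
    if rec is None:
        return {"status": "N", "pam": None, "auth_code": None}
    candidate = _hash_password(entered_password, rec["salt"])
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return {"status": "N", "pam": rec["pam"], "auth_code": None}
    return {"status": "Y", "pam": rec["pam"], "auth_code": _auth_code(pan, merchant_id, amount)}


def merchant_checkout(pan, entered_password, merchant_id, amount):
    """MPI side: check enrolment, obtain authentication, then build the financial
    authorization request carrying the ECI and the authentication code."""
    auth_req = {"pan": pan, "merchant_id": merchant_id, "amount": amount,
                "eci": "07", "auth_code": None}           # Visa ECI 07: not authenticated
    if not directory_lookup(pan):
        auth_req["eci"] = "06"                            # ECI 06: attempted, card not enrolled
        return auth_req
    result = acs_authenticate(pan, entered_password, merchant_id, amount)
    if result["status"] == "Y":
        auth_req["eci"] = "05"                            # ECI 05: fully authenticated
        auth_req["auth_code"] = result["auth_code"]
    return auth_req


def issuer_authorize(auth_req):
    """Issuer authorization host: re-derive the authentication code from the details actually
    being authorized, so a code copied onto a different amount or merchant does not verify."""
    code = auth_req["auth_code"]
    expected = _auth_code(auth_req["pan"], auth_req["merchant_id"], auth_req["amount"])
    authenticated = code is not None and hmac.compare_digest(code, expected)
    if auth_req["eci"] == "05" and not authenticated:
        return {"authenticated": False, "liability": "merchant", "decision": "DECLINE"}
    # Assumed liability rule: authenticated or attempted VbV transactions shift to the issuer.
    liability = "issuer" if auth_req["eci"] in ("05", "06") else "merchant"
    return {"authenticated": authenticated, "liability": liability, "decision": "APPROVE"}
```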

MasterCard SPA/UCAF and SecureCode

Soon after Visa launched the 3-D Secure protocol concept, MasterCard followed with a standard known as Secure Payment Application/Universal Cardholder Authentication Field (SPA/UCAF). The goal of SPA/UCAF was similar to that of VbV, i.e. to authenticate a cardholder prior to the financial transaction. However, the technical approach taken by SPA/UCAF differed from 3-D Secure. Whereas 3-D Secure involved the flow of XML messages over the Internet between merchant and issuer, the SPA/UCAF approach assumed that the cardholder would use a consumer wallet application to interact with hidden fields located on the merchant's payment pages. The wallet application would extract merchant and transaction details from the specified hidden fields, and would populate data (for example, the UCAF value generated by the issuer) into the hidden fields on the payment page. At this point, the additional authentication data would be passed into the merchant's payment application and sent as part of the financial authorization message to the issuing bank. Thus, the two standards mainly differed in how the transaction data would be transported between the merchant and the issuer. In September 2002, MasterCard announced the launch of the MasterCard SecureCode standard, which could interoperate with the 3-D Secure protocol as well as the previously published wallet-based standard. This announcement reunited the two major brands in the use of a common technology standard for consumer authentication and paved the way for dual-brand issuers and acquirers to implement a single software solution to support both brands.

Maestro Payment over the Internet

In the summer of 2001, Maestro introduced an authentication standard built upon the previously published MasterCard SPA/UCAF standard. The goal of the Maestro standard was more than just consumer authentication: it was intended to allow Maestro debit cards to be used generally for purchases over the Internet. The Maestro standard promoted the use of a pseudo-PAN and described mechanisms for both acquirers and issuers to work around the absence of PIN-block data for Internet transactions, which is normally present for card-present transactions.

Transaction Liability Rules

Traditionally, the liability rule for Internet transactions has been that the merchant takes the liability for fraudulent transactions. Hence, the merchant is in the position that he must prove that the cardholder committed fraud or else assume the loss. This mirrored the rules applied to MOTO transactions, given that the same lack of direct contact between the cardholder and the merchant applied. This rule has left many merchants considerably at risk of fraud losses, with the intention of incentivizing them to implement fraud detection and prevention measures. With effect from April 2002 in the EU region and April 2003 in all other regions, Visa has mandated that, under certain conditions, fraud liability shifts to the issuer in instances where the Internet merchant has adopted the Verified by Visa protocol. Effectively, this means that Internet merchants who implement the VbV Merchant Plug-In will be protected from fraud, moving the focus for fraud prevention from the merchant/acquirer to the issuer. This is intended to incentivize issuers to properly authenticate their cardholders to avoid financial loss. MasterCard has introduced a similar liability shift for those merchants implementing SecureCode.

Future Trends
The following are a series of predictions with respect to fraud-related events over the coming decade:

- Despite the risks of fraud outlined in this paper, the credit/debit card will remain the safest and most secure means for consumers to make payments, particularly over the Internet. The degree of protection provided to consumers by the regulations mandated by card schemes such as Visa and MasterCard is unmatched by other payment methods. This will ensure the continued growth of card payments.
- Based on the mandate to accept chip cards by 2005, the majority of medium-to-large merchants in Europe and other regions outside of the US will support chip by 2006 or 2007. Issuers will most likely purchase chips with memory capacity just large enough to support magnetic stripe contents and PIN verification only, and will wait longer before investing in larger-memory chip cards which can support loyalty, purse and other value-added applications.
- In the US market, it is thought that fraud will increase post-2005 as fraudsters seek to use non-EMV cards issued by US issuers for purchases outside of the US, without the protection of PIN verification. These drivers may bring about an accelerated rollout of chip cards in the US market towards the end of the decade, but those cards will most likely be multi-application smart cards from the start.
- The introduction of EMV chip cards will have little or no effect on MOTO fraud.
- Eventually fraudsters may find a way to cost-effectively skim and create counterfeit chip cards, and the move to strengthen card security will begin again. The next step up in security will most likely take the form of biometrics, using technology such as fingerprints, voice analysis or retinal scans.
- The volume of Internet transactions secured by Verified by Visa and MasterCard SecureCode will grow steadily as Internet transaction volumes and the global economy improve.
- Following the rollout of chip cards in Europe, perhaps around 2007, many issuers will support PIN-based cardholder authentication for Internet transactions through the chip extension to the 3-D Secure authentication protocol.

The single greatest threat that will continue to raise its head this decade is the growth of identity theft. As a result of the introduction of more computerized systems in many consumer-facing institutions, there is more personal information available on individuals in electronic (and hence easily distributed) format. Indeed, if a person were to wish to truly protect their personal information in their day-to-day lives, they may be unable to avail of a wide number of services from banks, insurance agencies, employers and merchants, who all require that such information be provided to them. Protection is unlikely to be provided to citizens until Government action is taken to regulate the use and storage of such information, and to provide a secure form of personal authentication from birth. The debate on the ownership of personal information and evidence of identity is likely to be one of the most significant and important of this decade, with long-lasting implications for the future.
